EnRoute Kubernetes Ingress Gateway

EnRoute Universal Gateway

EnRoute Universal Gateway is a flexible API gateway built to support traditional and cloud-native use cases. It is designed to run either as a [Kubernetes Ingress Gateway, Standalone Gateway, Horizontally scaling L7 API gateway or a Mesh of Gateways] (/blog/enroute-topologies/) . Depending on the need of the user, the environment, the application, either one or many of these solutions can be deployed.

A consistent policy framework across all these network components makes the EnRoute Universal Gateway a versatile and powerful solution.

What this article covers

This article covers how to get started with the EnRoute Kubernetes Ingress Gateway. The minimum requirement is a working Kubernetes cluster.

To get a more detailed understanding of EnRoute Universal Gateway and its architecture, refer to the article here To run EnRoute outside of kubernetes as a standalone gateway, refer to the article on standalone gateway

EnRoute also supports several other topologies including a Standalone Gateway. Only the Kubernetes Ingress topology is covered in this article.

Configure EnRoute using helm

A simple non-SSL example of EnRoute gateway with Lua and Rate-Limit filters can be programmed using the EnRoute helm chart.

helm repo add saaras https://getenroute.io
helm install enroute-demo saaras/enroute

This installs the EnRoute Ingress API Gateway with a simple service called hello-enroute

$ kubectl get svc -n enroutedemo
NAME            TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)                      AGE
enroute         LoadBalancer   10.96.161.15   152.67.225.80   80:32584/TCP,443:32625/TCP   66s
hello-enroute   ClusterIP      10.96.71.135   <none>          9090/TCP,9091/TCP            66s

Use the External IP to send traffic

curl -s 152.67.225.80 | wc -l

Trigger rate-limits by sending a burst of traffic

while true; do curl -vvv 152.67.225.80 ; done

Understanding EnRoute configuration setup in previous step

GatewayHost

GatewayHost is a way to expose your services running inside Kubernetes.

apiVersion: enroute.saaras.io/v1beta1
kind: GatewayHost
metadata:
  labels:
    app: hello-enroute
  name: hello-enroute-gatewayhost-notls
  namespace: enroutedemo
spec:
  virtualhost:
    fqdn: '*'
    filters:
      - name: luatestfilter
        type: http_filter_lua
  routes:
    - conditions:
      - prefix: /
        header:
          name: ":method"
          exact: "GET"
      filters:
        - name: rl2
          type: route_filter_ratelimit
      services:
        - name: hello-enroute
          port: 9090

Filters attached to GatewayHost can be used to control traffic flowing to the exposed service

Filter

Filters provide fine-grained control to control access to service. There are several features supported by EnRoute.

Lua Filter

This config invokes a function for an incoming request on request and response path

apiVersion: enroute.saaras.io/v1beta1
kind: HttpFilter
metadata:
  labels:
    app: hello-enroute
  name: luatestfilter
  namespace: enroutedemo
spec:
  name: luatestfilter
  type: http_filter_lua
  httpFilterConfig:
    config: |
        function envoy_on_request(request_handle)
           request_handle:logInfo("Hello World request");
        end

        function envoy_on_response(response_handle)
           response_handle:logInfo("Hello World response");
        end
Rate Limit config for Filter

The following config limits every http request from a unique IP.

apiVersion: enroute.saaras.io/v1beta1
kind: GlobalConfig
metadata:
  labels:
    app: hello-enroute
  name: rl-global-config
  namespace: enroutedemo
spec:
  name: rl-global-config
  type: globalconfig_ratelimit
  config: |
        {
          "domain": "enroute",
          "descriptors" :
          [
            {
              "key": "x-forwarded-for",
              "descriptors" :
              [
                {
                  "key" : "x-forwarded-proto",
                  "value" : "http",
                  "rate_limit" : { "unit" : "second", "requests_per_unit" : 2 }
                }
              ]
            }
          ]
        }

Adding SSL

The above config does not add SSL config. For SSL to work, we need a certificate installed with the appropriate domain name. As an example, we’ll use demo.saaras.io as the domain name.

  • Create secret for demo.saaras.io
kubectl -n enroutedemo create secret tls tls-demo --cert=demo.cert --key=demo.key
  • Reference the secret in GatewayHost
 1apiVersion: enroute.saaras.io/v1beta1
 2kind: GatewayHost
 3metadata:
 4  labels:
 5    app: hello-enroute
 6  name: hello-enroute-gatewayhost-notls
 7  namespace: enroutedemo
 8spec:
 9  virtualhost:
10    fqdn: 'demo.saaras.io'
11    tls:
12      secretName: tls-demo
13    filters:
14      - name: luatestfilter
15        type: http_filter_lua
16  routes:
17    - conditions:
18      - prefix: /
19        header:
20          name: ":method"
21          exact: "GET"
22      filters:
23        - name: rl2
24          type: route_filter_ratelimit
25      services:
26        - name: hello-enroute
27          port: 9090
  • A CNAME record that maps this domain to the public domain provided by LoadBalancer service by AWS. When passing traffic, we use this domain.
cname

EnRoute Config Model across Kubernetes Ingress Gateway and Standalone Gateway

EnRoute can be used to protect services outside kubernetes using the standalone gateway or services running inside kubernetes.

EnRoute follows a configuration model similar to Envoy and is extensible using Filters. It uses filters to extend functionality at the global Service level and per-route level. The config objects used for this are - GatewayHost, Route, HttpFilter, RouteFilter and Service as shown here for Kubernetes gateway.

Regardless of where the workload runs, a consistent service policy can be defined once and applied to secure any service running inside or without Kubernetes using Envoy.

EnRoute Config Model

EnRoute provides key functionality using modular filters which make it easy to secure any service.